There are two key trends happening in today’s networks that C-suite executives need to be paying close attention to. The first is that IT teams are struggling to keep up with digital transformation demands, including the move to multi-cloud infrastructures and services, the rapid adoption of IoT networks and devices, BYOD and a highly mobile workforce, and the growing number of shadow IT services popping up in their networks. The second is the alarming growth of increasingly automated attacks that are consistently and successfully targeting known device, application, and network vulnerabilities.

The reality is that these trends are related. The unprecedented rate of digital transformation that is consuming your IT resources has also led to basic network and device hygiene becoming the most neglected components of your security posture. And it shows. The biggest attacks of 2017, from Petya to the Equifax breach, all targeted vulnerabilities for which patches had been available for weeks or months. In fact, a full 90% of organizations recorded exploits for vulnerabilities that were at least three years old. This means that good cyber hygiene still needs to be a fundamental best practice, and it is key to ensuring that your organization’s network is kept secure.

But it can be hard to prioritize. Let’s take a look at where to start and what the most important steps are to take.

Prioritize Vulnerabilities

One method for prioritizing is to understand what vulnerabilities are most likely to be targeted. Knowing the kinds of vulnerabilities attackers probe for the most can help determine which assets require prioritized patching.
Effective IT teams use cybersecurity reports and then ask pointed and important questions, like “Have we seen these alerts?” and “Do our scans detect these vulnerabilities?” Then make managing those vulnerabilities a top priority on any controls you’re using to protect your cyber assets.

It also helps to understand that successful attacks have a higher probability of recurring. This means that whenever a breach makes the news, you should look at its attack vectors and check whether that same exposure exists in your environment. If so, make it a priority to reduce that exposure or eliminate it altogether.

Perform a Risk Assessment

To really get ahead of vulnerabilities, find out in advance where you need to strengthen your defenses by conducting a risk assessment. The goal of a risk assessment, according to ISACA, is to understand your existing system and environment, and identify risks through analysis of the information/data collected.

NIST’s recent Criticality Analysis Process Model describes “a structured method of prioritizing programs, systems, and components based on their importance to the goals of an organization and the impact that their inadequate operation or loss may present to those goals.”

You should start by gathering all relevant information. Begin with a full inventory of your physical assets, including network infrastructure, laptops/desktops, IoT, data management systems, and other connected devices. This also needs to include security solutions deployed, such as firewalls, intrusion detection systems, and network monitoring tools.

Next, catalog all of the applications and services running in your network, including shadow IT.
You should also understand what information is available to the public about network components, individuals and their roles, applications, and services.

Most of this information can be gathered automatically using a variety of tools, such as a SIEM solution.

Finally, you need to cross-reference all of this information against compliance requirements that define minimum security controls as well as any documented or even informal policies, procedures, and guidelines.

After this information is gathered, a number of tasks need to be performed, including:

- Identifying near- and long-term business goals that affect IT and security
- Reviewing existing security policies, standards, guidelines, protocols, and procedures
- Analyzing assets to prioritize potential threats and vulnerabilities
- Assessing physical protections for computing and network components
- Analyzing security devices, remote access systems, and AAA devices and comparing them against network and business requirements
- Assessing the current level of security awareness and commitment of employees
- Reviewing security agreements with vendors, contractors, and service and cloud providers

Only then can you begin to develop and update your existing risk management and security technologies and strategies.

Combatting the New Normal

There is an incredible urgency for organizations, especially those undergoing digital transformation, to reprioritize security hygiene and identify emerging risks. However, as the volume, velocity, and automation of attacks continue to increase, it is also becoming increasingly important to align patching prioritization to what is happening in the wild so you can better focus your limited resources on the most critical and emerging risks. A risk assessment of your environment will help you to combat today’s new normal. Start by using the best practices outlined above to help you create a flexible security strategy that can adapt and protect even as the threat landscape continues to evolve.
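One way to turn the prioritization advice above into a repeatable check is to join scan findings with the asset inventory and a list of vulnerabilities seen exploited in the wild. The following is an added example, not part of the original article; the asset names, `VULN-` identifiers, dates, and scoring weights are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# All data below is constructed for illustration; IDs are placeholders.
TODAY = date(2018, 2, 1)  # constructed "as of" date
ASSETS = {"web-portal": 3, "hr-db": 3, "build-server": 2, "lobby-kiosk": 1}  # criticality 1-3
EXPLOITED_IN_WILD = {"VULN-0002", "VULN-0004"}  # taken from threat reports and breach news

@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str
    severity: float        # scanner base score, 0-10
    patch_released: date   # date the vendor fix became available

FINDINGS = [
    Finding("lobby-kiosk", "VULN-0001", 9.8, date(2018, 1, 10)),
    Finding("web-portal", "VULN-0002", 7.5, date(2017, 3, 7)),
    Finding("build-server", "VULN-0003", 8.1, date(2017, 12, 20)),
    Finding("marketing-nas", "VULN-0004", 6.0, date(2014, 11, 1)),  # shadow IT
]

def score(finding, today):
    """Return (score, reasons). The weights are assumptions, not a standard."""
    reasons = []
    criticality = ASSETS.get(finding.asset)
    if criticality is None:  # not in the inventory: assume the worst case
        criticality = 3
        reasons.append("not in inventory")
    value = finding.severity * criticality
    if finding.vuln_id in EXPLOITED_IN_WILD:
        value *= 2
        reasons.append("exploited in the wild")
    age_days = (today - finding.patch_released).days
    if age_days > 90:  # a fix has been available for months
        value += 5
        reasons.append(f"patch available for {age_days} days")
    return value, reasons

def rank(findings, today):
    """Sort findings so the most urgent patch comes first."""
    scored = [(f, *score(f, today)) for f in findings]
    return sorted(scored, key=lambda item: item[1], reverse=True)

if __name__ == "__main__":
    for f, value, reasons in rank(FINDINGS, TODAY):
        print(f"{value:6.1f}  {f.asset:14} {f.vuln_id}  {'; '.join(reasons) or '-'}")
```

With this sample data the finding with the highest scanner severity ranks last, while an older, actively exploited flaw on a critical asset and an uninventoried device rise to the top.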